Method and device for securing patient data

ABSTRACT

The invention relates to a method and device for securing patient data when exchanging information between a patient and a specialist via a data network using computers. The invention involves the use of a first web server, which serves to exchange data pertaining to the individual who is the patient, and of a second web server, which serves to exchange data pertaining to the ailments of the patient.

The invention is based on a method and a device to secure patient data in the case of an exchange of information in accordance with the characterizing portion of claim 1 and of claim 6.

Should a person require medical advice from a specialist, for example from a doctor, he must request an appointment with the relevant specialist and discuss the symptoms of his illness in a personal discussion with the doctor. As a rule, it is not possible for the patient to receive an immediate response to his questions as soon as the complaints emerge. Telephone information is normally not provided. If the person is not in any acute pain and is simply interested in a medical question, the only place he can search for an answer is in the specialist medical literature.

Exchange of patient data between specialists such as doctors or therapists, for example, takes place in personal discussions or in writing. An exchange of patient data with the aid of a computer network does not satisfy the heightened security requirements, since it is not possible to rule out the possibility of the data coming to the knowledge of third parties.

As a result of these disadvantages, the combination of information technology and telecommunications known in an abbreviated form as telematics is not applied within the health care sector.

In contrast, the method according to the invention with the features of claim 1 and the device according to the invention with the features of claim 6 offer the advantage that patient data can be exchanged over a data network, for example the Internet, without this involving any risk that said data could come to the knowledge of third parties in an unauthorized manner. In this way, a patient can put their question to a specialist in the field of medicine, for example. In this process, the patient data is completely anonymized, in order to guarantee the security and confidentiality of the transmitted data. The user or patient provides the information required of him, such as his name, address and possibly his bank account details, by means of a form. The patient is not given the opportunity to enter his complaints or his illness at this point. Entries of these types are suppressed by means of predefined fields in the form. Once the patient has entered his data, an identification number is assigned to him through the Web server and/or the database server. A mailbox is set up for the patient under this identification number, whereby said mailbox can only be used for a specific period of time. At the end of a stipulated period of time, the identification number and the associated mailbox are deleted for security reasons. Should the patient wish to direct a question to a specialist, he is required to first enter his identification number in a second form and then enter the question. The patient does not require an e-mail address for this purpose. It is sufficient for the patient to have Internet access at his disposal. As soon as the patient has sent his question, a check can be run to establish whether the identification number provided is valid and, should payment be required, to determine whether the patient has already paid for his question.

Provided that the identification number is valid and payment has been effected, the question is forwarded to a specialist and answered by said specialist. The answer is filed in the mailbox held under the identification number and can be retrieved by the patient upon entering his identification number. For security reasons, the answer in this case appears in an invisible frameset. This eliminates the possibility of the user entering a URL directly into the address bar and thereby being able to obtain data filed on the servers without actually wishing to.
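The workflow described above, as an added example in Python that is not code from the patent or from any product: a personal store whose form schema has no complaint field, a question store that holds only identification numbers and mailboxes, a single narrow (valid, paid) check shared between the two sides, and a mailbox that is deleted together with its identification number at the end of the period. The class names, the shape of the check between the two sides and the 48-hour validity period are assumptions made for this example.

```python
"""Pseudonymized patient/specialist exchange over two isolated stores.
Added example, not code from the patent or any product; class names, the
narrow (valid, paid) interface between the sides and the 48 h period are
assumptions made for this example."""
import secrets
from dataclasses import dataclass

HOUR = 3600
VALIDITY = 48 * HOUR  # assumed lifetime of an identification number and its mailbox
# The personal form has only these fields; complaint or illness fields are refused.
PERSON_FIELDS = frozenset({"name", "address", "bank_account"})


@dataclass
class PersonRecord:
    fields: dict
    expires_at: int  # seconds on an injected clock, for deterministic tests
    paid: bool = False


class PersonStore:
    """First Web server and its database: identity only, no questions."""

    def __init__(self):
        self.records = {}  # identification number -> PersonRecord

    def register(self, form, now):
        extra = set(form) - PERSON_FIELDS
        if extra:
            raise ValueError(f"not permitted in the personal form: {sorted(extra)}")
        pid = secrets.token_hex(8)  # unguessable identification number
        self.records[pid] = PersonRecord(dict(form), now + VALIDITY)
        return pid

    def check(self, pid, now):
        """The only thing the question side may ask about an ID: (valid, paid)."""
        rec = self.records.get(pid)
        if rec is None or now >= rec.expires_at:
            return False, False
        return True, rec.paid

    def expire(self, now):
        """Delete identification numbers whose stipulated period has elapsed."""
        gone = [p for p, r in self.records.items() if now >= r.expires_at]
        for p in gone:
            del self.records[p]
        return gone


class QuestionStore:
    """Second Web server: mailboxes keyed by ID; never holds personal data."""

    def __init__(self, validator):
        self.validate = validator  # callable(pid, now) -> (valid, paid)
        self.boxes = {}  # identification number -> {"questions": [...], "answers": [...]}

    def submit(self, pid, subject, text, now):
        valid, paid = self.validate(pid, now)
        if not (valid and paid):
            return False  # one generic refusal; do not say which check failed
        box = self.boxes.setdefault(pid, {"questions": [], "answers": []})
        box["questions"].append((subject, text))
        return True

    def answer(self, pid, text):
        # Specialist side: the specialist sees only the ID, never the name.
        self.boxes[pid]["answers"].append(text)

    def retrieve(self, pid, now):
        """The server-side check on the ID is what actually gates the answer."""
        valid, _ = self.validate(pid, now)
        box = self.boxes.get(pid)
        return list(box["answers"]) if valid and box else []


def demo():
    """Run the full exchange on constructed data; returns what each step yielded."""
    people, t0 = PersonStore(), 1_000_000
    questions = QuestionStore(people.check)
    try:  # the first form refuses medical content next to identity
        people.register({"name": "B. Patient", "complaint": "headache"}, t0)
        refused = False
    except ValueError:
        refused = True
    pid = people.register({"name": "A. Patient", "address": "1 Example St"}, t0)
    before_payment = questions.submit(pid, "nutrition", "Is X safe?", t0)
    people.records[pid].paid = True  # payment confirmed on the personal side
    accepted = questions.submit(pid, "nutrition", "Is X safe?", t0 + HOUR)
    questions.answer(pid, "General guidance: ...")
    answers = questions.retrieve(pid, t0 + 2 * HOUR)
    leak = "A. Patient" in repr(questions.boxes)  # name never reaches this side
    for gone in people.expire(t0 + VALIDITY):  # stipulated period over
        questions.boxes.pop(gone, None)        # the mailbox goes with the ID
    after_expiry = questions.retrieve(pid, t0 + VALIDITY)
    return {"refused": refused, "before_payment": before_payment, "accepted": accepted,
            "answers": answers, "leak": leak, "after_expiry": after_expiry}
```

The invisible frameset mentioned in the description keeps the address out of the user's address bar; the control that actually denies an unknown or expired identification number is the server-side check in `retrieve`, and that is the check to look for when reviewing a system of this kind.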

This strict separation of the data concerning the patient's person and his question makes it possible to ensure that the patient data is sufficiently protected and cannot be viewed without authorization.

To separate the data concerning the person on the one hand and the data concerning the question on the other hand, a first Web server is provided for the personal data and a second Web server for the question data. Each of the two Web servers is connected to the Internet via a router. The first and second Web servers are connected to database servers. This may involve one or more database servers. The first Web server and the second Web server are completely isolated from each other.

A physical separation is provided between the Web servers and the database server. In this way, third parties are prevented from obtaining unauthorized access to the database server's data over the Internet.

In order to increase data security, the database server's data is backed up to an external storage medium at regular time intervals and the data present on the database server is deleted. Should the contents of the database server be subjected to unauthorized access by third parties, access in this case shall be restricted to the data accumulated since the last data backup. An appropriate interval for the creation of data backups is 48 hours, for example.
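The backup-and-delete cycle described above, as an added example in Python that is not code from the patent: records are copied to an external medium once per interval and then wiped from the live store, so what the live store can yield is bounded by the time since the last backup, while the operator can still reconstruct everything from the media. The in-memory store, the list standing in for the external medium and the 48-hour interval are assumptions made for this example.

```python
"""Backup-and-purge cycle that bounds what a live database exposes.
Added example, not code from the patent; the in-memory store, the list
standing in for the external medium and the 48 h interval are assumptions."""

HOUR = 3600
BACKUP_INTERVAL = 48 * HOUR  # interval the description gives as an example


class PurgingStore:
    """Live records are copied to an external medium each cycle and then
    wiped, so reading the live store yields at most one interval of data."""

    def __init__(self, interval=BACKUP_INTERVAL):
        self.interval = interval
        self.live = {}        # what an intruder on the server could read
        self.external = []    # snapshots on the external medium (off-line)
        self.last_backup = 0  # clock value of the last cycle

    def insert(self, key, record, now):
        self.live[key] = {**record, "stored_at": now}

    def tick(self, now):
        """Run the cycle if an interval has passed; True if a backup was taken."""
        if now - self.last_backup < self.interval:
            return False
        self.external.append({"taken_at": now, "records": dict(self.live)})
        self.live.clear()  # deleted from the server once the copy exists
        self.last_backup = now
        return True

    def exposure_seconds(self, now):
        """Age of the oldest record still readable on the live server."""
        if not self.live:
            return 0
        return now - min(r["stored_at"] for r in self.live.values())

    def restore(self):
        """What the operator can reconstruct from all media; nothing is lost."""
        merged = {}
        for snap in self.external:
            merged.update(snap["records"])
        merged.update(self.live)
        return merged


def simulate():
    """Drive the store through one backup cycle on constructed records."""
    store = PurgingStore()
    store.insert("p1", {"name": "Patient One"}, 0)
    store.insert("p2", {"name": "Patient Two"}, 10 * HOUR)
    store.insert("p3", {"name": "Patient Three"}, 30 * HOUR)
    backups = [store.tick(40 * HOUR), store.tick(48 * HOUR)]
    store.insert("p4", {"name": "Patient Four"}, 50 * HOUR)
    backups.append(store.tick(60 * HOUR))
    return {
        "backups": backups,
        "live_after": sorted(store.live),
        "archived": sum(len(s["records"]) for s in store.external),
        "exposure_hours": store.exposure_seconds(60 * HOUR) // HOUR,
        "restorable": sorted(store.restore()),
    }
```

`exposure_seconds` is the quantity the description argues about: after the cycle the live store holds only records newer than the last backup, so the bound on what a successful intruder reads is the interval, provided the cycle is actually run on time; `restore` shows that the purge moves data rather than losing it.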

According to a further preferred embodiment of the invention, the data can be encrypted prior to sending and decrypted upon receipt in order to further increase data security. Known methods of data encryption and cryptography are suitable for this purpose. The device according to the invention can be equipped with a crypto module for encryption and decryption purposes.

The data present on the second Web server and the database server do not have to be correspondingly backed up by means of elaborate data backup processes, since they only contain the identification numbers and the questions, together with the answers relating to the individual cases. Should this data be accessed by unauthorized parties, it would be impossible for the data to be assigned to any specific person. The data therefore requires no stronger protection than a standard mailing list. In contrast, the data on the first Web server is more heavily protected, since it contains personal data, and possibly bank account details.

This elevated level of security for patient data makes it possible to also apply telematics within the health care sector, thereby opening up the possibility of telediagnosis, telepathology, teletherapy and telematics in outpatient care. Patient data can be exchanged not only between the patient and a doctor, but also between doctors, therapists and other specialists. Specialists can refer patients to other doctors or keep them updated. Data that does not relate to a patient can be made available in a database that is freely accessible to users. These kinds of knowledge databases will have an important role to play in the field of medical care. The networking of medical care structures leads to improved and facilitated patient care. In certain circumstances it enables doctor's visits or hospital stays to be avoided. The data network can be divided up into multiple segments, each of which takes into consideration the varied interests of different target groups.

Participation in a platform of this type in a data network involves a multitude of advantages for doctors. Treatment capacities can be better exploited. Up-to-date information improves the level of knowledge required for daily work. The doctor can receive advice with respect to practice management, benchmarking, consulting and separate contracts with health insurance companies. Specialists can join together to create groups. As a group, doctors have decisive advantages, in particular in relation to health insurance companies, industry and legislators. Furthermore, discounts can be obtained for purchasing medical practice supplies.

Patients have the opportunity to join together via the data network to form self-help groups, which can enable the exchange of experiences, knowledge and clinical pictures. Patients may voluntarily reveal their identity for this purpose, though this is not necessary.

According to a preferred embodiment of the invention, a first and a second database server are provided, both of which are connected both to the first and to the second Web server. This separation between the first and the second Web server on the one hand, and the first and the second database server on the other hand, not only increases security with regard to unauthorized access to data but also ensures that the system continues to be functional even in the event of the failure of one of the servers.

The second form for entering the question can present the patient with various preselected subject areas. In this way, the patient is asked to assign his question to a specific field. This makes it easier to answer the questions. The fact that the answers must be phrased in a very general manner and may not take into consideration any individual information means that the answer can be automated. The answers created by the specialists, for example by doctors, are filed in a database and assigned to a defined clinical picture. For a question submitted by a patient, it is sufficient to define the clinical picture and retrieve the answers filed in the database. This serves to greatly minimize editorial effort.

Further advantages and advantageous embodiments of the invention shall be drawn from the following description, the drawing and the claims.

DRAWING

The drawing shows an example embodiment of the invention, which is described in more detail below. It shows the following:

FIG. 1 Diagrammatic view of the various components of the device according to the invention.

DESCRIPTION OF THE EXAMPLE EMBODIMENT

The patient's data, his question and the answer are exchanged with the aid of the Internet. The router is situated at the interface between the Internet and the device. From there, the patient's personal data, such as his name and address, for example, reach the first Web server and continue to the first database server. The first database server assigns the patient an identification number and forwards it to the patient via the first Web server and the Internet. The questions with their associated identification numbers and the answers are exchanged and filed via the second Web server. The drawing clearly shows that the first and the second Web servers are completely isolated from each other, as are the first and the second database servers. The second database server is primarily used for discussion groups or forums. Should the first database server fail, then the second database server can take over its tasks.

In order to increase security, physical separation is provided between the two Web servers and the database servers.

With the aid of streamers, backup copies of the data are created via a backup server. The mail server connected to the Internet via the router serves to transmit further data, such as articles on specific topics and advice on nutrition and physical activity, for example. This exchange of data is conducted via e-mail.

All of the features contained in the description, the following claims and the drawing may be material to the invention both individually and in any combination with each other.

1. Method of securing patient data in the case of an exchange of information through a data network with the aid of computers, comprising the steps of entering the patient's name and address in a first form displayed on a screen of a computer, assigning the patient an identification number, displaying the identification number on the screen, entering the identification number and a question in a second form displayed on the screen, assigning the answer to the question to the identification number and displaying the answer to the question on the screen when the identification number is specified.

2. Method of claim 1, further comprising the step of processing and storing the patient's name and address on the one hand and the question and answer on the other hand on separate Web servers and/or separate database servers.

3. Method of claim 1, further comprising the step of deleting the identification number at the end of a stipulated period of time.

4. Method of claim 1, further comprising the steps of saving the patient's name and address filed on a Web server and/or database server to an external data medium at the end of a stipulated period of time and deleting the patient's name and address from the Web server and/or database server.

5. Method of claim 1, further comprising the steps of encrypting the data prior to sending and decrypting the data upon receipt.

6. Method of claim 1, wherein the answer is displayed in an invisible frameset.

7. Device for securing patient data in the case of an exchange of information between a patient and a specialist by means of a data network, in particular for performing the method of claim 1, comprising a first Web server and a database server connected to the first Web server, through which the patient's name and address are entered and saved, and through which the patient is assigned an identification number, and a second Web server, through which the patient is able to exchange data with a specialist under his identification number, wherein the second Web server is connected to the database server, and the first Web server and the second Web server are isolated from each other.

8. Device of claim 7, wherein physical separation is provided between the first Web server and the database server on the one hand, and between the second Web server and the database server on the other hand.

9. Device of claim 7, further comprising a second database server, said second database server being connected to the first and/or the second Web server.

10. Device of claim 7, further comprising a backup unit, which saves the data from the database server to an external data medium at regular intervals of time and deletes the data from the database server.

11. Device of claim 7, further comprising a crypto module for the purpose of encrypting and decrypting the data.

12. Method of claim 2, further comprising the step of deleting the identification number at the end of a stipulated period of time.

13. Method of claim 2, further comprising the steps of saving the patient's name and address filed on a Web server and/or a database server to an external data medium at the end of a stipulated period of time and deleting the patient's name and address from the Web server and/or database server.

14. Method of claim 12, further comprising the steps of saving the patient's name and address filed on a Web server and/or a database server to an external data medium at the end of a stipulated period of time and deleting the patient's name and address from the Web server and/or database server.

15. Method of claim 14, further comprising the step of encrypting the data prior to sending and decrypting the data upon receipt.

16. Method of claim 15, wherein the answer is displayed in an invisible frameset.

17. Device for securing patient data in the case of an exchange of information between a patient and a specialist by means of a data network, in particular for performing the method of claim 16, comprising a first Web server and a database server connected to the first Web server, through which the patient's name and address are entered and saved, and through which the patient is assigned an identification number, and a second Web server, through which the patient is able to exchange data with a specialist under his identification number, wherein the second Web server is connected to the database server, and the first Web server and the second Web server are isolated from each other.

18. Device of claim 17, wherein physical separation is provided between the first Web server and the database server on the one hand, and between the second Web server and the database server on the other hand.

19. Device of claim 8, further comprising a second database server, which is connected to the first and/or the second Web server.

20. Device of claim 18, further comprising a second database server, which is connected to the first and/or the second Web server.